diff --git a/tests/NFQUEUE-queue-bypass/Makefile b/tests/NFQUEUE-queue-bypass/Makefile
new file mode 100644
index 0000000..a4553d4
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+# Description: Test for "--queue-bypass" backport
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ales Zelinka " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for \"--queue-bypass\" backport" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/NFQUEUE-queue-bypass/PURPOSE b/tests/NFQUEUE-queue-bypass/PURPOSE
new file mode 100644
index 0000000..4f2548e
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+Description: Test for "--queue-bypass" backport
+Author: Ales Zelinka
+Bug summary: "--queue-bypass" backport
diff --git a/tests/NFQUEUE-queue-bypass/runtest.sh b/tests/NFQUEUE-queue-bypass/runtest.sh
new file mode 100755
index 0000000..05213b7
--- /dev/null
+++ b/tests/NFQUEUE-queue-bypass/runtest.sh
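Review bot: `run` and `build` are not listed in `.PHONY: all install download clean`, so a stray file named `run` or `build` in the test directory that is newer than its prerequisites makes `make run` report "up to date" and skip `./runtest.sh`. Declare them alongside the others: `.PHONY: all install download clean run build`. The same template is repeated in every Makefile in this commit, so the fix applies across the board; `all`, `install` and `download` are presumably provided by the included `rhts-make.include`, which is not visible here.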
@@ -0,0 +1,54 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
+# Description: Test for "--queue-bypass" backport
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+
+ rlPhaseStartTest control-ping
+ rlRun "ping -w 2 -c 2 127.0.0.1"
+ rlPhaseEnd
+
+ rlPhaseStartTest NFQUEUE-no-listener
+ rlRun "iptables -I INPUT -p icmp -j NFQUEUE" 0 "queue all icmp for userspace processing"
+ rlRun "ping -w 2 -c 2 127.0.0.1" 1-255 "ping 127.0.0.1 - none is listening on queue so packets will be dropped"
+ rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0 "removing the queue rule"
+ rlPhaseEnd
+
+ rlPhaseStartTest NFQUEUE-no-listener-bypass
+ rlRun "iptables -I INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "queue all icmp for userspace processing, bypass if no one is listening"
+ rlRun "ping -w 2 -c 2 127.0.0.1" 0 "ping 127.0.0.1 - none is listening on queue - bypass will make packets go through"
+ rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "removing the queue rule"
+ rlPhaseEnd
+
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile b/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
new file mode 100644
index 0000000..5a56668
--- /dev/null
+++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
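Review bot: The `iptables -D` that removes each NFQUEUE rule lives inside the test phase rather than in a cleanup phase, so if the script is killed by the harness watchdog or aborts between the `-I` and the `-D`, the rule stays at the head of INPUT and, with no userspace listener bound to queue 0, keeps dropping every inbound ICMP packet on the host. Move the removals into an `rlPhaseStartCleanup` block that tolerates the rule already being gone: `rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0,1` and `rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0,1`. The `1-255` expected status on the no-listener ping is also broad; ping(8) reports no-reply as 1 and usage/resolution errors as 2, so expecting `1` alone would distinguish "packets dropped" from a malformed invocation. Finally the script never stops firewalld/iptables services or asserts the `iptables` rpm like the sibling tests do, so a host policy that already drops or accepts ICMP ahead of this rule could mask the result.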
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
+# Description: Test for [RFE] Enable the missing IPv6 "SET" target
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for [RFE] Enable the missing IPv6 \"SET\" target" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables ipset" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE b/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE
new file mode 100644
index 0000000..baa182c
--- /dev/null
+++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
+Description: Test for [RFE] Enable the missing IPv6 "SET" target
+Author: Tomas Dolezal
+Bug summary: [RFE] Enable the missing IPv6 "SET" target userland ip6tables support to enable ipset to be usable with IPv6
diff --git a/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh b/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh
new file mode 100755
index 0000000..32eab99
--- /dev/null
+++ b/tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
+# Description: Test for [RFE] Enable the missing IPv6 "SET" target
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+IPSET=testset6
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "ipset create $IPSET hash:ip family inet6"
+ rlRun "ipset add testset6 1234::3456"
+ rlRun "ip6tables-save -t filter > ipt6.save"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ RULE1="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j LOG --log-prefix 'LOG:IPSET added to $IPSET'"
+ RULE2="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j SET --add-set $IPSET src"
+ for op in -A -C -D; do #add, check, delete
+ rlRun "ip6tables $op $RULE1" 0 "do $op logrule"
+ rlRun "ip6tables $op $RULE2" 0 "do $op -j SET rule"
+ done
+ rlRun "ip6tables-save -t filter > ipt6.save2"
+ rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt6*" 0 "magically unify savefiles"
+ rlAssertNotDiffer ipt6.save ipt6.save2
+ diff -u ipt6.save ipt6.save2
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ipset destroy $IPSET"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile
new file mode 100644
index 0000000..33fb03c
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/Makefile
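Review bot: `rlRun "ipset add testset6 1234::3456"` hard-codes the set name while every other line uses `$IPSET`, so renaming the variable silently breaks setup; use `rlRun "ipset add $IPSET 1234::3456"`. Cleanup then only runs `ipset destroy $IPSET`: if the `-A` iteration succeeds but `-C` or `-D` fails, the LOG/SET rules still reference the set, `ipset destroy` will refuse to remove a set that is in use, and both rules stay in the live INPUT chain after the test — the second of which keeps adding every new-connection source on those ports to the set. A more robust cleanup takes an untouched `ip6tables-save` snapshot in setup (the existing `ipt6.save` is rewritten by the `sed -i ipt6*` step) and `ip6tables-restore`s it before the `ipset destroy`, or at least runs `rlRun "ip6tables -D $RULE1" 0,1` / `rlRun "ip6tables -D $RULE2" 0,1` with the RULE variables hoisted to script scope.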
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
+# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE rules.in
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for RFE iptables add -C option to iptables in RHEL6 to" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE
new file mode 100644
index 0000000..2f3ed01
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
+Description: Test for RFE iptables add -C option to iptables in RHEL6 to
+Author: Tomas Dolezal
+Bug summary: RFE: iptables: add -C option to iptables in RHEL6 to check for existing rules
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in
new file mode 100644
index 0000000..454f78f
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/rules.in 
@@ -0,0 +1,50 @@
+# vim: ft=sh
+rules4=(
+"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
+"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
+"-A INPUT -p icmp -j ACCEPT"
+"-A INPUT -i lo -j ACCEPT"
+"-A INPUT -i ippp+ -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"
+"-A INPUT -p ah -j ACCEPT"
+"-A INPUT -p esp -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
+"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A FORWARD -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
+"-A FORWARD -p icmp -j ACCEPT"
+"-A FORWARD -i lo -j ACCEPT"
+"-A FORWARD -i ippp+ -j ACCEPT"
+"-A FORWARD -o tun+ -j ACCEPT"
+"-A INPUT -j REJECT --reject-with icmp-host-prohibited"
+"-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
+)
+
+rules6=(
+"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A INPUT -p ipv6-icmp -j ACCEPT"
+"-A INPUT -i lo -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT"
+"-A INPUT -i ippp+ -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT"
+"-A INPUT -m ipv6header --header ah -j ACCEPT"
+"-A INPUT -m ipv6header --header esp -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
+"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
+"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
+"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
+"-A FORWARD -p ipv6-icmp -j ACCEPT"
+"-A FORWARD -i lo -j ACCEPT"
+"-A FORWARD -i ippp+ -j ACCEPT"
+"-A INPUT -j REJECT --reject-with icmp6-adm-prohibited"
+"-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"
+)
diff --git a/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
new file mode 100755
index 0000000..438468d
--- /dev/null
+++ b/tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
+# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+TESTD=$PWD
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "source $TESTD/rules.in" 0 "read ruleset"
+ rlRun "iptables -F"
+ rlRun "ip6tables -F"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ declare -i sane=0
+ for i in ${!rules4[*]}; do
+ let sane++
+ rlRun "iptables ${rules4[$i]}"
+ testrule="${rules4[$i]/-A/-C}"
+ rlRun "iptables $testrule"
+ done
+ for i in ${!rules6[*]}; do
+ let sane++
+ rlRun "ip6tables ${rules6[$i]}"
+ testrule="${rules6[$i]/-A/-C}"
+ rlRun "ip6tables $testrule"
+ done
+ #check itercount
+ if [[ $sane -lt 40 ]]; then
+ rlFail "test insane, do inspect" # rules were not properly loaded!
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "iptables -F"
+ rlRun "iptables -t nat -F"
+ rlRun "ip6tables -F"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/Makefile b/tests/TRACE-target-of-iptables-can-t-work-in/Makefile
new file mode 100644
index 0000000..7df75a1
--- /dev/null
+++ b/tests/TRACE-target-of-iptables-can-t-work-in/Makefile
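Review bot: Setup runs `iptables -F` and `ip6tables -F` against the live host and cleanup flushes again (plus `-t nat`), but nothing snapshots the pre-existing ruleset, so the machine is left with empty chains and whatever default policies it had rather than the firewall it started with — hard to square with `Destructive: no` in the accompanying Makefile. Take an `iptables-save`/`ip6tables-save` snapshot in setup and `iptables-restore`/`ip6tables-restore` it in cleanup (before `popd`, since the files live in `$TmpDir`); the cleanup flushes then become redundant. While the rules are loaded the host is also restricted to the ports in `rules.in` with a trailing `-j REJECT`, which is fine for an ssh-driven harness but worth a comment. Minor: the `40` in `[[ $sane -lt 40 ]]` is a magic number for the 44 entries in `rules.in`; checking `${#rules4[@]}`/`${#rules6[@]}` for zero right after the `source` would catch a failed load more directly.
```shell
# … unchanged: rlAssertRpm / TmpDir / pushd / source rules.in …
rlRun "iptables-save > ipt.save" 0 "snapshot ipv4 ruleset"
rlRun "ip6tables-save > ipt6.save" 0 "snapshot ipv6 ruleset"
rlRun "iptables -F"
# … unchanged: test phase …
rlRun "iptables-restore < ipt.save" 0 "restore ipv4 ruleset"
rlRun "ip6tables-restore < ipt6.save" 0 "restore ipv6 ruleset"
rlRun "popd"
```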
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
+# Description: Test for TRACE target of iptables can't work in
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for TRACE target of iptables can't work in" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables iptables-services" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE b/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE
new file mode 100644
index 0000000..7b690d2
--- /dev/null
+++ b/tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
+Description: Test for TRACE target of iptables can't work in
+Author: Tomas Dolezal
+Bug summary: TRACE target of iptables can't work in RHEL7.1/RHEL7.2
diff --git a/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh b/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh
new file mode 100755
index 0000000..889c1b6
--- /dev/null
+++ b/tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
+# Description: Test for TRACE target of iptables can't work in
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+SERVICES="iptables ip6tables firewalld"
+
+prepare_page() {
+ section=$1
+ name=$2
+ dest=${name}.manpage
+ zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest}
+ rlAssertExists ${dest}
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel
+ rlLogInfo $(uname -r)
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ prepare_page 8 iptables-extensions
+ for svc in $SERVICES; do
+ rlServiceStop $svc
+ done
+ rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface"
+ IFACE="$(< default-iface)"
+ rlAssertExists "/sys/class/net/$IFACE"
+ rlRun "ip route save > ip-route.save" 0 "save routing info"
+ rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info"
+ rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route"
+ rlRun "rmmod nf_log_ipv4" 0,1
+ rlRun "rmmod nf_log_ipv6" 0,1
+ rlPhaseEnd
+
+ rlPhaseStartTest "manpage check"
+ rlAssertGrep "nfnetlink_log" iptables-extensions.manpage
+ if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then
+ # RHEL version-specific libxt_TRACE man page patchs
+ rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage
+ rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei
+ fi
+ rlPhaseEnd
+
+ ipv4_ping() {
+ rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)"
+ }
+ ipv6_ping() {
+ rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)"
+ }
+ get_messages() {
+ if rlIsFedora; then
+ journalctl -qkb
+ else
+ cat /var/log/messages
+ fi
+ }
+
+ rlPhaseStartTest "iptables_TRACE"
+ rlRun "get_messages > messages.log-orig"
+ rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0
+ rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0
+ if rlTestVersion "$(uname -r)" "<" "4.6"; then
+ ipv4_ping; ipv6_ping
+ rlRun "get_messages > messages.current"
+
+ rlRun "diff messages.log-orig messages.current > diff.1" 0,1
+ echo --debug_START--
+ cat diff.1
+ echo --debug_END--
+ rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module"
+ rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module"
+ rlAssertNotGrep "TRACE" diff.1
+ else
+ rlLogInfo "new kernel detected: skipping loading modules and associated checks"
+ fi
+ ipv4_ping; ipv6_ping
+ rlRun "get_messages > messages.current"
+
+ rlRun "diff messages.log-orig messages.current > diff.2" 0,1
+ rlAssertGrep "TRACE" diff.2
+ rlAssertGrep "TRACE.*PROTO=ICMP " diff.2
+ rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2
+ echo --debug_START--
+ cat diff.2
+ echo --debug_END--
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ip route flush default" 0 "flush ip route data"
+ rlRun "ip -6 route flush default" 0 "flush ipv6 route data"
+ rlRun "ip route restore < ip-route.save" 0 "restore routing info"
+ rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6"
+ rlRun "iptables -t raw -F"
+ rlRun "ip6tables -t raw -F"
+ rlRun "rmmod nf_log_ipv4"
+ rlRun "rmmod nf_log_ipv6"
+ rlRun "rmmod nf_log_common"
+ rlRun "rmmod nfnetlink_log" 0,1
+ rlLogInfo "restoring services"
+ for svc in $SERVICES; do
+ rlServiceRestore $svc
+ done
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile b/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
new file mode 100644
index 0000000..7ebab54
--- /dev/null
+++ b/tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
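Review bot: `rlAssertExists "/sys/class/net/$IFACE"` does not catch an empty `IFACE`: when the host has no IPv4 default route, `default-iface` is empty, the path collapses to `/sys/class/net/` which always exists, the assertion passes, and `ip -6 r add default dev` fails with status 2 — which the `0,2` expectation accepts — so the IPv6 TRACE assertions fail later with no hint about the real cause. Add an explicit guard right after the assignment, e.g. `rlRun "[[ -n '$IFACE' ]]" 0 "default interface detected"`. The `sed` expression `((\.|\w)+)` also stops at `-`, so an interface such as `br-ex` yields `br` and trips the existence check with a confusing message; `([^ ]+)` would accept any interface name. In cleanup, `rmmod nf_log_ipv4` / `nf_log_ipv6` / `nf_log_common` expect status 0, but on the `>= 4.6` branch nothing is modprobed explicitly and whether those modules are loaded depends on the kernel auto-loading them for TRACE, so `0,1` (as already used for `nfnetlink_log` and in setup) would avoid a spurious cleanup failure.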
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
+# Description: Test for backport iptables add libxt_cgroup frontend
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for backport iptables add libxt_cgroup frontend" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables libcgroup-tools" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE b/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE
new file mode 100644
index 0000000..ec49073
--- /dev/null
+++ b/tests/backport-iptables-add-libxt-cgroup-frontend/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
+Description: Test for backport iptables add libxt_cgroup frontend
+Author: Tomas Dolezal
+Bug summary: Backport: iptables: add libxt_cgroup frontend
diff --git a/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh b/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh
new file mode 100755
index 0000000..888dfbd
--- /dev/null
+++ b/tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
+# Description: Test for backport iptables add libxt_cgroup frontend
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+CGNUM="15"
+CGNAME="15"
+CGDIR="/sys/fs/cgroup/net_cls/$CGNAME"
+DEST_IP4="192.0.2.99" # TEST-NET-1
+DEST_IP42="192.0.2.199" # TEST-NET-1
+DEST_IP6="2001:0db8:0000:0000:0000:0000:0000:abc0" #has to be expanded due to matching !
+DEST_IP62="2001:0db8:0000:0000:0000:0000:0000:abc1"
+SKIP6=false
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # rlAssertRpm kernel-$(uname -r)
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ if rlIsRHEL '>=7'; then
+ rlServiceStop firewalld
+ sleep 1
+ fi
+ rlLogInfo "check if net_cls cgroup is present"
+ rlAssertGrep "cgroup.*net_cls" /proc/mounts
+ rlRun "cgcreate -g net_cls:$CGNAME" 0 "create cgroup '15'"
+ rlRun "echo $CGNUM > $CGDIR/net_cls.classid" 0 "assign numerical id to cgroup"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ ping -W 1 -c 30 $DEST_IP4 &
+ PING4_P1=$! EC4=$?
+ ping -W 1 -c 30 $DEST_IP42 &
+ PING4_P2=$! EC42=$?
+ rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"
+
+ ping6 -W 1 -c 30 $DEST_IP6 &
+ PING6_P1=$! EC6=$?
+ sleep 1
+ if [[ $EC6 -eq 2 ]] || ! kill -0 $PING6_P1 2>/dev/null; then
+ rlLogInfo "skipping ipv6 test, network stack unavailable"
+ SKIP6=true
+ else
+ ping6 -W 1 -c 30 $DEST_IP62 &
+ PING6_P2=$!
+ rlRun "kill -0 $PING6_P1 && kill -0 $PING6_P2" 0 "ping ipv6 running to $DEST_IP6, $DEST_IP62"
+ fi
+ journalctl -fkb > dmesg.out &
+ DMESG_P=$!
+ echo > dmesg.out # clear dmesg out
+
+ rlRun "iptables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
+ rlRun "ip6tables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
+
+ rlRun "echo $PING4_P2 >> $CGDIR/tasks" 0 "Add second ping to cgroup '15'"
+ $SKIP6 || rlRun "echo $PING6_P2 >> $CGDIR/tasks" 0 "Add second ping6 to cgroup '15'"
+ cat $CGDIR/tasks
+ sleep 10
+ cat dmesg.out
+ rlAssertGrep "$DEST_IP42" dmesg.out
+ $SKIP6 || rlAssertGrep "$DEST_IP62" dmesg.out
+ rlAssertNotGrep "$DEST_IP4" dmesg.out
+ rlAssertNotGrep "$DEST_IP6" dmesg.out
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ kill $DMESG_P
+ # pings die after 30s of execution either way
+ kill $PING4_P1
+ kill $PING4_P2
+ $SKIP6 || kill $PING6_P1
+ $SKIP6 || kill $PING6_P2
+ sleep 1
+
+ rlRun "iptables -F" 0 "cleanup iptables"
+ rlRun "ip6tables -F" 0 "cleanup ip6tables"
+ rlServiceRestore firewalld
+ rlRun "cgdelete -g net_cls:$CGNAME" 0 "delete cgroup"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/initscript-sanity/Makefile b/tests/initscript-sanity/Makefile
new file mode 100644
index 0000000..cae5ac3
--- /dev/null
+++ b/tests/initscript-sanity/Makefile
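Review bot: `PING4_P1=$! EC4=$?` (and likewise `EC42`, `EC6`) captures the status of putting the job in the background, which bash always reports as 0, not ping's exit status; `rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]"` can therefore never fail and the `[[ $EC6 -eq 2 ]]` half of the IPv6 check is dead, so only the `kill -0` probe actually detects a ping that exited immediately (for example with no route to TEST-NET-1). Drop the `EC*` variables and probe the IPv4 pair the same way after a short pause: `sleep 1` followed by `rlRun "kill -0 $PING4_P1 && kill -0 $PING4_P2" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"`. Separately, `rlServiceRestore firewalld` in cleanup is unconditional while the matching `rlServiceStop` is gated on `rlIsRHEL '>=7'`; mirror the condition so the restore is only attempted where something was stopped. `journalctl -fkb` also presumes a journald host, which the Makefile's `Releases:` exclusions (RHEL 4/5 only) do not guarantee — worth a `rlIsRHEL`/`rlIsFedora` guard or a `/var/log/messages` fallback as in the TRACE test.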
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Sanity/initscript-sanity
+# Description: initscript-sanity
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Sanity/initscript-sanity
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: initscript-sanity" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables iptables-services" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/initscript-sanity/PURPOSE b/tests/initscript-sanity/PURPOSE
new file mode 100644
index 0000000..a533943
--- /dev/null
+++ b/tests/initscript-sanity/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Sanity/initscript-sanity
+Description: initscript-sanity
+Author: Tomas Dolezal
+Bug summary: Can not "service iptables save": restorecon not found
diff --git a/tests/initscript-sanity/runtest.sh b/tests/initscript-sanity/runtest.sh
new file mode 100755
index 0000000..e270b78
--- /dev/null
+++ b/tests/initscript-sanity/runtest.sh
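Review bot: `.PHONY: all install download clean` leaves out `run` and `build`, which are command targets just like `clean`; a stray file named `run` or `build` in the test directory would make them silently "up to date", so the line should read `.PHONY: all install download clean run build`. The `$(METADATA)` recipe also writes the file with a chain of `>>` before `rhts-lint` checks it, so if the lint fails the rejected file is already newer than `Makefile` and the next `make` treats it as current; a `.DELETE_ON_ERROR:` line near the top would discard it instead. The same boilerplate is repeated in the Makefile hunks for ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets, ip6tables-service-does-not-allow-dhcpv6-client-by, ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP, iptables-rule-deletion-fails-for-rules-that-use and iptables-save-cuts-space-before-j, and the same two changes apply there.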
@@ -0,0 +1,56 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Sanity/initscript-sanity
+# Description: initscript-sanity
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlLogInfo 'Can not "service iptables save": restorecon not found'
+ if rlIsRHEL 6 7 ; then
+ rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init
+ rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/ip6tables.init
+ else
+ rlLogInfo 'skipping: test not applicable to this OS release'
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
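Review bot: The two `rlAssertGrep` calls hand grep a basic regular expression, and in that syntax `[ ! -x "$RESTORECON" ]` is a bracket expression (a single character drawn from that set, including the ` -x` range), not the literal init-script line; the check therefore passes for any line that has one such character followed by ` && RESTORECON=/bin/true`, which is much weaker than the fix being verified. Request a fixed-string match through the options argument, the way the with-DROP test passes `-E`: `rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init -F`, and likewise for ip6tables.init. The single quotes are correct here, since the `$RESTORECON` must reach grep unexpanded.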
diff --git a/tests/inventory b/tests/inventory
new file mode 100755
index 0000000..b118a5a
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,3 @@
+#!/bin/bash
+export TEST_DOCKER_EXTRA_ARGS="--privileged"
+exec merge-standard-inventory "$@"
diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile
new file mode 100644
index 0000000..5b7f979
--- /dev/null
+++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/Makefile
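Review bot: `export TEST_DOCKER_EXTRA_ARGS="--privileged"` gives every test container the full capability set and host device access, and the file does not say why; presumably it is because the iptables, ipset and cgroup manipulation in these tests has to reach the host's netfilter state, but that is inferred, not stated. A comment above the export would let the next maintainer judge whether something narrower than `--privileged` would do, e.g. `# iptables/ipset tests modify host netfilter state; --privileged is the broadest grant, revisit if a narrower one suffices`.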
@@ -0,0 +1,62 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+# Description: Test for while adding iptables rules with ipv6 sets in
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2014 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for while adding iptables rules with ipv6 sets in" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables bridge-utils ipset" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE
new file mode 100644
index 0000000..a3cf0eb
--- /dev/null
+++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+Description: Test for while adding iptables rules with ipv6 sets in
+Author: Tomas Dolezal
+Bug summary: while adding iptables rules with ipv6 sets in destination direction, either individually or combined with source we see error messages.
diff --git a/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
new file mode 100755
index 0000000..75f7413
--- /dev/null
+++ b/tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+# Description: Test for while adding iptables rules with ipv6 sets in
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2014 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "ip6tables-save > ip6tables.backup"
+ rlRun "iptables-save > iptables.backup"
+ rlRun "brctl addbr testbr" 0 "create bridge iface"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "ipset create ipsetv6 hash:net timeout 60 family inet6" 0 "Create hash:net ipset for ipv6"
+ rlRun "ipset create ipsetv4 hash:net timeout 60 family inet" 0 "Create hash:net ipset for ipv4"
+ rlRun "ipset list ipsetv6" 0 "verify ipsetv6 presence"
+ rlRun "ipset list ipsetv4" 0 "verify ipsetv4 presence"
+# echo waiting; read; echo cont
+ checkRule() {
+ binary="$1"
+ comment="$2"
+ rlRun "$binary -t mangle $RULE" 0 "$comment"
+ rlRun "$binary-save | grep -qe '$RULE'" 0 "verify rule"
+ }
+ for i in dst src dst,src src,dst; do
+ # 6,4 (+)
+ RULE="-A PREROUTING -i testbr -m set --match-set ipsetv6 $i -j ACCEPT"
+ checkRule ip6tables "[ipv6] direction: $i. adding ip6tables rule to match set"
+ RULE="-A PREROUTING -i testbr -m set --match-set ipsetv4 $i -j ACCEPT"
+ checkRule iptables "[ipv4] direction: $i. adding iptables rule to match set"
+
+ # 6,4 (-)
+ RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv6 $i -j ACCEPT"
+ checkRule ip6tables "[ipv6] direction: $i. adding negated ip6tables rule to match set"
+ RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv4 $i -j ACCEPT"
+ checkRule iptables "[ipv4] direction: $i. adding negated iptables rule to match set"
+ done
+ ip6tables-save
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ip6tables -t mangle -F"
+ rlRun "iptables -t mangle -F"
+ rlRun "ip6tables-restore < ip6tables.backup"
+ rlRun "iptables-restore < iptables.backup"
+ rlRun "ip link set down dev testbr"
+ rlRun "brctl delbr testbr" 0 "remove bridge iface"
+ rlRun "ipset destroy ipsetv6" 0 "remove ipv6 ipset"
+ rlRun "ipset destroy ipsetv4" 0 "remove ipv4 ipset"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile
new file mode 100644
index 0000000..e489837
--- /dev/null
+++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/Makefile
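Review bot: `checkRule` takes `binary` and `comment` as parameters but reads the rule from the global `RULE`, so each call site has to set a global first and the helper's contract is invisible from its signature; passing the rule as a third argument (`rule="$3"` and `rlRun "$binary -t mangle $rule" 0 "$comment"`) makes the loop body self-explanatory. The leftover interactive debugging line `# echo waiting; read; echo cont` and the bare `ip6tables-save` before `rlPhaseEnd` (which dumps the whole ruleset to the log with no assertion) should either go or be wrapped in `rlRun` with a message saying what the dump is for. The helper also deserves a one-line comment stating that it appends the rule to the mangle table and then confirms it round-trips through the corresponding `-save`.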
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
+# Description: Test for ip6tables service does not allow dhcpv6-client by
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for ip6tables service does not allow dhcpv6-client by" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables iptables-services" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE
new file mode 100644
index 0000000..453fc1e
--- /dev/null
+++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
+Description: Test for ip6tables service does not allow dhcpv6-client by
+Author: Tomas Dolezal
+Bug summary: ip6tables service does not allow dhcpv6-client by default
diff --git a/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh
new file mode 100755
index 0000000..f59a908
--- /dev/null
+++ b/tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
+# Description: Test for ip6tables service does not allow dhcpv6-client by
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "cp /etc/sysconfig/ip6tables ."
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "sed -ie '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"
+ echo --debug--; cat ip6tables
+ rlAssertGrep "-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT" ip6tables
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
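Review bot: `sed -ie '/REJECT/,// d' ip6tables` does not mean `-i -e`; GNU sed reads `-ie` as in-place editing with the backup suffix `e`, so the script silently drops a second copy named `ip6tablese` into the temp directory and the `-e` the author intended is never seen. It happens to work because the in-place edit still lands in `ip6tables`, but the line should be `rlRun "sed -i -e '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"`. Separately, the `rlAssertGrep` pattern begins with `-A`; unless beakerlib inserts `--` before the pattern, grep may read it as an option, which the sibling test iptables-save-cuts-space-before-j guards against with `grep -- '$RULE'`, so it is worth confirming with a fixed-string option or a `--` the same way here.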
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile
new file mode 100644
index 0000000..13ff3c8
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE
new file mode 100644
index 0000000..a4b72da
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
+Author: Tomas Dolezal
+Bug summary: ip6tables -t nat -A POSTROUTING/OUTPUT with DROP target can't filter packets
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh
new file mode 100644
index 0000000..1d3e2ab
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+ip netns del cs_client >/dev/null 2>&1
+ip link del veth0 >/dev/null 2>&1
+
+ip netns add cs_client
+ip link add type veth
+ip link set veth1 name eth1 netns cs_client
+
+export cs_client_if1=eth1
+export cs_server_if1=veth0
+export cs_client_ip1=2001:db8:ffff::1
+export cs_server_ip1=2001:db8:ffff::2
+
+ip netns exec cs_client ip link set $cs_client_if1 up
+ip link set $cs_server_if1 up
+ip netns exec cs_client ip -6 addr add $cs_client_ip1/64 dev $cs_client_if1
+ip -6 addr add $cs_server_ip1/64 dev $cs_server_if1
+ip netns exec cs_client ifconfig lo up
+ifconfig lo up
diff --git a/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
new file mode 100755
index 0000000..79b2696
--- /dev/null
+++ b/tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
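Review bot: The last two lines fall back to `ifconfig` for the loopback devices although the rest of the script already uses iproute2, and `ifconfig` comes from net-tools, which this test's Makefile does not list in `Requires:` (it declares only `iptables`); `ip netns exec cs_client ip link set lo up` and `ip link set lo up` avoid the undeclared dependency. The `export` lines also suggest the file is meant to be sourced rather than executed, yet the runtest.sh added next to it never references env.sh, so a header comment should say who sources it and that it tears down and recreates the `cs_client` namespace and `veth0` on every run.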
@@ -0,0 +1,83 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+SERVICES="iptables ip6tables firewalld"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ for svc in $SERVICES; do
+ rlServiceStop $svc
+ done
+ rlRun "iptables -t nat -F"
+ rlRun "ip6tables -t nat -F"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ table="nat"
+ assert_string="nat.*intended.*inhibited"
+ for chain in PREROUTING INPUT OUTPUT POSTROUTING; do
+ rlLogInfo "checking chain $chain"
+ rlRun "iptables -t $table -A $chain -p icmp -j DROP 2>iptables.stderr" 2 \
+ "iptables: Failure to accept DROP to '$table/$chain' chain"
+ rlRun "ip6tables -t $table -A $chain -p icmpv6 -j DROP 2>ip6tables.stderr" 2 \
+ "ip6tables: Failure to accept DROP to '$table/$chain' chain"
+ rlAssertGrep "$assert_string" iptables.stderr -E
+ rlAssertGrep "$assert_string" ip6tables.stderr -E
+ rm -f iptables.stderr ip6tables.stderr
+ echo --debug_START--
+ set -x
+ iptables-save | grep -E '\*|icmp'
+ ip6tables-save | grep -E '\*|icmp'
+ set +x
+ echo --debug_END--
+ done
+ rlRun "iptables-save > ipt4.out"
+ rlRun "ip6tables-save > ipt6.out"
+ rlAssertNotGrep "icmp" ipt4.out
+ rlAssertNotGrep "icmp" ipt6.out
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "iptables -t nat -F"
+ rlRun "ip6tables -t nat -F"
+ rlLogInfo "restoring services"
+ for svc in $SERVICES; do
+ rlServiceRestore $svc
+ done
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile b/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile
new file mode 100644
index 0000000..99883bc
--- /dev/null
+++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/Makefile
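Review bot: Setup runs `iptables -t nat -F` and `ip6tables -t nat -F` with no backup, and cleanup flushes the nat table again before `rlServiceRestore`, so any nat rules that were on the host before the test and did not come from one of the three services are gone when the test ends; the sibling ip6sets test in this commit saves with `iptables-save` in setup and `iptables-restore` in cleanup, and the same pattern fits here (`rlRun "iptables-save -t nat > ipt4.nat.backup"` in setup, `rlRun "iptables-restore < ipt4.nat.backup"` in cleanup, and likewise for ip6tables). The `--debug_START--`/`set -x` block inside the chain loop also looks like leftover development output; if it is meant to stay, a comment saying it documents the table state for the log would help, otherwise it can go since the `ipt4.out`/`ipt6.out` assertions already cover the final state.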
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
+# Description: Test for iptables rule deletion fails for rules that use
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for iptables rule deletion fails for rules that use" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables ipset" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE b/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE
new file mode 100644
index 0000000..af508e8
--- /dev/null
+++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
+Description: Test for iptables rule deletion fails for rules that use
+Author: Tomas Dolezal
+Bug summary: iptables rule deletion fails for rules that use ipset match "--match-set"
diff --git a/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh b/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh
new file mode 100755
index 0000000..d17e693
--- /dev/null
+++ b/tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh 
@@ -0,0 +1,78 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
+# Description: Test for iptables rule deletion fails for rules that use
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+IPSET4="ipsetv4"
+IPSET6="ipsetv6"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "ipset create $IPSET4 hash:ip"
+ rlRun "ipset create $IPSET6 hash:ip family inet6"
+ rlRun "iptables-save -t mangle > ipt4.save"
+ rlRun "ip6tables-save -t mangle > ipt6.save"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ RULE40="-A PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
+ RULE40d="-D PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
+ RULE41="-A PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
+ RULE41d="-D PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
+ RULE60="-A PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
+ RULE60d="-D PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
+ RULE61="-A PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
+ RULE61d="-D PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
+ for RULE in "$RULE40" "$RULE40d" "$RULE41" "$RULE41d"; do
+ rlRun "iptables -t mangle $RULE"
+ done
+ for RULE in "$RULE60" "$RULE60d" "$RULE61" "$RULE61d"; do
+ rlRun "ip6tables -t mangle $RULE"
+ done
+ rlRun "iptables-save -t mangle > ipt4.save2"
+ rlRun "ip6tables-save -t mangle > ipt6.save2"
+ rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt4* ipt6*" 0 "magically unify savefiles"
+ rlAssertNotDiffer ipt4.save ipt4.save2
+ rlAssertNotDiffer ipt6.save ipt6.save2
+ diff -u ipt4.save ipt4.save2
+ diff -u ipt6.save ipt6.save2
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "ipset destroy $IPSET4"
+ rlRun "ipset destroy $IPSET6"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/iptables-save-cuts-space-before-j/Makefile b/tests/iptables-save-cuts-space-before-j/Makefile
new file mode 100644
index 0000000..66b2599
--- /dev/null
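Review bot: The cleanup phase has no path for the case the test exists to catch: if one of the `-D` deletions fails, the matching `-A` rule stays in the mangle PREROUTING chain, `ipset destroy` then fails because the set is still referenced, and the rule outlives the test on the host. Running each of the `*d` deletions once more in cleanup, ignoring their status (e.g. `iptables -t mangle $RULE40d 2>/dev/null` and the same for `RULE41d`, `RULE60d`, `RULE61d`), before the two `ipset destroy` lines would leave the host clean either way. Note also that the `sed -i` on `ipt4* ipt6*` rewrites `ipt4.save`/`ipt6.save` in place, so those files can no longer serve as a restore point; a comment saying they are comparison snapshots only, not backups, would prevent someone reaching for `iptables-restore` on them later.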
+++ b/tests/iptables-save-cuts-space-before-j/Makefile 
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
+# Description: Test for iptables-save cuts space before -j
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for iptables-save cuts space before -j" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/iptables-save-cuts-space-before-j/PURPOSE b/tests/iptables-save-cuts-space-before-j/PURPOSE
new file mode 100644
index 0000000..cb0a83a
--- /dev/null
+++ b/tests/iptables-save-cuts-space-before-j/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
+Description: Test for iptables-save cuts space before -j
+Author: Tomas Dolezal
+Bug summary: iptables-save cuts space before -j
diff --git a/tests/iptables-save-cuts-space-before-j/runtest.sh b/tests/iptables-save-cuts-space-before-j/runtest.sh
new file mode 100755
index 0000000..a6a5099
--- /dev/null
+++ b/tests/iptables-save-cuts-space-before-j/runtest.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
+# Description: Test for iptables-save cuts space before -j
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlServiceStart iptables
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ RULE="-A INPUT -p dccp -m dccp --dccp-type RESET,INVALID -j LOG"
+ if rlIsRHEL '>6' || rlIsFedora; then
+ RULE="${RULE/type/types}" # it is exported under other name
+ fi
+ rlLogInfo "using rule '$RULE'"
+ rlRun "iptables $RULE" 0 "add rule for ipv4"
+ rlRun "ip6tables $RULE" 0 "add rule for ipv6"
+ rlRun "iptables-save | grep -- '$RULE'" 0 "check rule for ipv4"
+ rlRun "ip6tables-save | grep -- '$RULE'" 0 "check rule for ipv6"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlServiceStop iptables
+ rlServiceRestore iptables
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/iptables-save-modprobe-option/Makefile b/tests/iptables-save-modprobe-option/Makefile
new file mode 100644
index 0000000..7364207
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/Makefile
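Review bot: The cleanup phase never removes the `ip6tables` rule added in the test phase: only the `iptables` service is stopped and restored, so the IPv6 `-j LOG` rule on INPUT stays loaded after the test finishes and leaks into whatever runs next on the host. The IPv4 rule is only removed indirectly, by relying on the service stop flushing the tables. Delete both rules explicitly at the start of `rlPhaseStartCleanup`: `rlRun "iptables ${RULE/-A/-D}" 0 "remove rule for ipv4"` and `rlRun "ip6tables ${RULE/-A/-D}" 0 "remove rule for ipv6"`. The `. /usr/share/beakerlib/beakerlib.sh` line appears wrapped across two lines on this page, which looks like a rendering artifact rather than a change in the file.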
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+# Description: Test for iptables-save man page completely wrong - which
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/iptables-save-modprobe-option
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ales Zelinka " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for iptables-save man page completely wrong - which" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/iptables-save-modprobe-option/PURPOSE b/tests/iptables-save-modprobe-option/PURPOSE
new file mode 100644
index 0000000..934d1b1
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+Description: Test for iptables-save man page completely wrong - which
+Author: Ales Zelinka
+Bug summary: iptables-save man page completely wrong - which conflicting arguments should work?
diff --git a/tests/iptables-save-modprobe-option/runtest.sh b/tests/iptables-save-modprobe-option/runtest.sh
new file mode 100755
index 0000000..22951c4
--- /dev/null
+++ b/tests/iptables-save-modprobe-option/runtest.sh
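Review bot: The `Description:` text in both the header comment and the `$(METADATA)` echo stops mid-sentence at `- which`, so the generated metadata describes nothing recognisable; the PURPOSE file in the same file section carries the full bug summary. Replace it with a self-contained phrase that matches what runtest.sh exercises, e.g. `# Description: Test that iptables-save accepts the -M/--modprobe option` and the matching `@echo "Description: Test that iptables-save accepts the -M/--modprobe option" >> $(METADATA)` line.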
@@ -0,0 +1,42 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/iptables-save-modprobe-option
+# Description: Test for iptables-save man page completely wrong - which
+# Author: Ales Zelinka
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartTest
+ rlAssertRpm $PACKAGE
+ rlRun "iptables-save -M /dev/null" 0 "iptables-save -M ... supported"
+ rlRun "iptables-save --modprobe /dev/null" 0 "iptables-save --modprobe ... supported"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..dead758
--- /dev/null
+++ b/tests/tests.yml
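Review bot: Both `rlRun` lines only assert a zero exit status, so the test passes as long as `iptables-save` accepts the option; nothing checks that a ruleset was actually dumped or that the given modprobe path is honoured. A cheap strengthening is to check for a table header in the output, e.g. `rlRun "iptables-save -M /dev/null | grep -q '^\*'" 0 "iptables-save -M ... dumps a ruleset"`, and likewise for `--modprobe`. The test also has no setup phase, so unlike the sibling tests it does not run from a temporary directory; that is harmless here because it writes nothing, but a one-line comment saying so would stop the next maintainer from "fixing" it.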
@@ -0,0 +1,91 @@
+---
+- hosts: localhost
+ tags: [ always ]
+ tasks:
+ - set_fact:
+ our_required_packages:
+ - iproute # multiple tests need ip command
+ - iputils # multiple tests need ping/ping6 commands
+ - iptables # multiple tests need iptables/ip6tables commands
+ - iptables-services # multiple tests need iptables/ip6tables config files
+ - initscripts # multiple tests need system command
+ - libcgroup-tools # backport-iptables-add-libxt-cgroup-frontend needs cg* commands
+ - bridge-utils # ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets needs brctl command
+ - ipset # multiple tests need ipset command
+ - strace # xtables-tools-locking-vulnerable-to-local-DoS needs strace command
+ - policycoreutils # initscript-sanity needs restorecon command
+
+- hosts: localhost
+ tags:
+ - rhts-all
+ roles:
+ - role: standard-test-rhts
+ tests:
+ - backport-iptables-add-libxt-cgroup-frontend
+ - initscript-sanity
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - TRACE-target-of-iptables-can-t-work-in
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - classic
+ - beakerlib-all
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ - backport-iptables-add-libxt-cgroup-frontend
+ - initscript-sanity
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - TRACE-target-of-iptables-can-t-work-in
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - container
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ #- backport-iptables-add-libxt-cgroup-frontend # journaling/logging issues?
+ - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
+ - iptables-rule-deletion-fails-for-rules-that-use
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-Enable-the-missing-IPv6-SET-target
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - xtables-tools-locking-vulnerable-to-local-DoS
+ required_packages: "{{ our_required_packages }}"
+
+- hosts: localhost
+ tags:
+ - atomic
+ roles:
+ - role: standard-test-beakerlib
+ tests:
+ - ip6tables-service-does-not-allow-dhcpv6-client-by
+ - iptables-save-cuts-space-before-j
+ - iptables-save-modprobe-option
+ - NFQUEUE-queue-bypass
+ - RFE-iptables-add-C-option-to-iptables-in-RHEL6
+ - xtables-tools-locking-vulnerable-to-local-DoS
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile b/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
new file mode 100644
index 0000000..0e56bcd
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
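Review bot: The container playbook disables `backport-iptables-add-libxt-cgroup-frontend` with an open question (`# journaling/logging issues?`), and the atomic playbook silently drops several more tests with no comment at all, so a later reader cannot tell whether those omissions are known platform limitations or untriaged failures. Record the concrete reason or a tracker reference on each, e.g. `#- backport-iptables-add-libxt-cgroup-frontend # disabled in containers: <reason or issue id>`, and put one comment above the atomic `tests:` list explaining why it is shorter. The comment `initscripts # multiple tests need system command` reads like a typo for `service command`, but that is an inference — please confirm. The `RFE-Enable-the-missing-IPv6-SET-target` entry appears wrapped across two lines on this page, which looks like a rendering artifact.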
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+# Description: Test for xtables tools locking vulnerable to local DoS
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Tomas Dolezal " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for xtables tools locking vulnerable to local DoS" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: iptables" >> $(METADATA)
+ @echo "Requires: iptables strace" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE b/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE
new file mode 100644
index 0000000..3a8ebe8
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+Description: Test for xtables tools locking vulnerable to local DoS
+Author: Tomas Dolezal
+Bug summary: xtables tools locking vulnerable to local DoS
diff --git a/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh b/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
new file mode 100755
index 0000000..c3223b5
--- /dev/null
+++ b/tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
+# Description: Test for xtables tools locking vulnerable to local DoS
+# Author: Tomas Dolezal
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2015 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="iptables"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "strace -fe flock,bind,open,openat -o strace.out iptables -w -L" 0 "execute iptables in strace"
+ echo --debug--; cat strace.out
+ rlAssertNotGrep "bind.*xtables" strace.out -E
+ rlAssertGrep " flock(" strace.out
+ rlAssertGrep "/run/xtables.lock" strace.out
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
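Review bot: `rlAssertGrep " flock(" strace.out` depends on a space immediately before `flock(`, which exists only on trace lines that carry a `[pid N]` prefix; if the traced `iptables -w -L` never forks, its own syscall lines begin at column 0 and the assertion fails even though the lock was taken — this is an inference about strace's output layout, so please verify on a fixed build. A prefix-tolerant pattern such as `rlAssertGrep "^(\[pid +[0-9]+\] )?flock\(" strace.out -E` removes that dependency and still proves the file lock is used. The `echo --debug--; cat strace.out` line dumps the whole trace into the journal on every run; `rlFileSubmit strace.out` keeps it attached to the result without the noise, or the `cat` can be gated on an assertion failure. A short comment on the three assertions stating the intent — no abstract-socket `bind` on `xtables`, `flock` used instead, on `/run/xtables.lock` — would make the expected fix readable without the bug history.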